The Federal Trade Commission staff believes significant changes are needed in how businesses collect, use and transfer information regarding individuals. On December 1, 2010 the FTC issued a 122-page report that recommends a broad new legal framework for protecting consumer privacy — a framework that would impose many new restrictions on businesses that use data about individuals.

The report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policy Makers,” advocates providing consumers with more control over use of information about themselves; changing the structure, language, provisions and dissemination of privacy policies; and creating a new, browser-based “Do Not Track” mechanism for online behavioral advertising.

The recommendations in the report have a long way to go before they become law. Although the commission unanimously agreed to issue the report, its two Republican commissioners both expressed concerns that the staff recommendations were premature and overly activist. And the commission has requested public comments by January 31, 2011, on more than 50 questions about the workability and details of the recommended legal framework.

At the outset, the report takes a broad view of the kind of information that requires privacy protection. It would impose new requirements on data gathered offline as well as online, and it would cover not only information that relates to a particular person, but any information that “can be reasonably linked to a specific consumer, computer or device,” including information that can be linked to an individual only through a combination of information from different databases. Thus, much information used by businesses today would be covered by the FTC’s recommended legal framework.

In general, the FTC’s framework, which would be implemented by a combination of legislation, new regulatory requirements and, at least for now, industry self-regulation, would require businesses to provide consumers with more information about how and when information about them is being collected and used; give consumers opportunities to control how the data is used and to verify its accuracy; and lay down specific rules for certain activities, such as a “Do Not Track” option for online behavioral advertising.

Some of the key recommendations in the report include:

  • Businesses should adopt a “privacy by design” approach, that is, “integrate privacy into their regular business operations and at every stage of product development,” such as assigning employees to oversee privacy issues, training employees on privacy considerations and performing privacy audits. At all stages of data collection and use, companies would be expected to use and retain data only for specified purposes that are revealed to consumers, and only for so long as the retention is necessary for those purposes.
  • Consumers would ordinarily need to be given “clear” and “easy-to-use” opportunities to express their preferences for what data would be collected and how it is used. They would need to be given this opportunity at the same time, and in the same context, as the data is collected — for example, the point of display (for online ads), or the point of download (for mobile phone apps that have the capacity to collect personal data). Where certain especially sensitive information is involved, such as information about children, financial or medical condition or precise geographic locations, the staff believes affirmative, express (or “opt-in”) consent should be required.
  • Consumers should also be provided with access to the information collected about them, with the extent of access being “proportionate” to the sensitivity of the data collected. Even businesses that don’t interact directly with consumers would need to comply with these new privacy rules if they collect or use consumer data from other sources. The report anticipates a narrow exception for companies that only use limited and non-sensitive consumer data.
  • The report recognizes that some “commonly accepted practices” should be exempt from some of the recommended new rules and laws. But the exemptions it recognizes — product and service fulfillment, internal operations, fraud prevention, legal compliance and first-party marketing — appear fairly narrow. The commission has explicitly sought comments on the scope of these exemptions and on what other practices, if any, ought to be recognized as “commonly accepted practices” exempt from privacy-protection rules.
  • In the case of online behavioral advertising, the report recommends a new federally mandated “Do Not Track” mechanism. There would not be a “Do Not Track” list maintained by the government like the current “Do Not Call” list. Instead, web browsers would incorporate a “persistent setting” to implement consumers’ “do not track” preferences. The report wants the mechanism to offer “granular” choices (i.e., allowing consumers to pick and choose what kinds of ads they will see) and yet be “understandable and simple.”
  • While it would impose new privacy-related tasks and responsibilities on businesses, the report would also require businesses to make their privacy policies far simpler, more standardized and easier to understand than is currently the case.

In response to the FTC’s release of the report, Sen. John D. Rockefeller IV (D-W.Va.), Sen. John Kerry (D-Mass.), and Rep. Joe Barton (R-Texas), who each hold leadership positions in the privacy area, pledged continued focus on online privacy in the next legislative session.